In the light of recent XZ events, and fundamental XZ issues lets work on
moving away from using XZ.
So, use gz compressed tarballs as sources whenever possible.
dwarves only offers bz2 compressed tarballs, so use those as size
difference is minor compared to XZ.
Signed-off-by: Robert Marko <robimarko@gmail.com>
dwarves
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
The "tar" utility is required to bootstrap XZ which is required to handle
.tar.xz archives, therfore revert to using the bz2 archive.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>